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Abstract 



^\ , The complexity of quantum computation remains poorly understood. While physicists at- 

tempt to find ways to create quantum computers, we still do not have much evidence one way 
or the other as to how useful these machines will be. The tools of computational complexity 
theory should come to bear on these important questions. 

Quantum computing often scares away many potential researchers from computer science 
because of the apparent background need in quantum mechanics and the alien looking notation 
C*") \ used in papers on the topic. 

This paper will give an overview of quantum computation from the point of view of a 
complexity theorist. We will see that one can think of BQP as yet another complexity class 
and study its power without focusing on the physical aspects behind it. 



o 
o 
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1 Introduction 

When one starts looking at quantum computation an obvious question comes to mind: Can quantum 
computers be built? By this I mean can one create a large reliable quantum computer — perhaps to 
factor numbers using Shor's algorithm [3ho97] faster than any classical computer can factor. There 



has been some success creating in creating quantum machines with a tiny number of bits, we have 
many physical and engineering issues to overcome before a large scale quantum machine can be 
realized. 

As a computational complexity theorist, I would like to consider a different and perhaps more 
important question: Are quantum computers useful? In other words, even if we can build reason- 
able quantum machines, will they actually help us solve important computational problems not 
attainable by traditional machines. Realize that the jury is still out on this issue. Grover's algo- 
rithm |Gro96| 1 gives only a quadratic speed-up, which means that a quantum machine will have to 
approach speeds of a traditional computer (on the order of a trillion operations per second) before 
Grover overtakes brute-force searching. 

Shor's quantum algorithms for factoring and discrete logarithm [ |Sho97 | give us better examples. 



Here we achieve an exponential speed-up from the best known probabilistic algorithms. Factoring 
alone does not make quantum computing useful. Consider the following paragraph from Shor's 
famous paper R5ho97| , p. 1506]: 



* Based on a talk presented at the Second Workshop on Algorithms in Qu antum Information Processing at D ePaul 



University , Chicago, January 21, 1999. Realaudio of the tal k is available at http://www.cs.depaul.edu/aqip99 
^URL: |http: / /www. neci.nj.nec.com/homepages/fortnow . Email: fortnow@research.nj.nec.com 
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Discrete logarithms and factoring are not in themselves widely useful problems. They 
have become useful only because they have been found to be crucial for public-key cryp- 
tography, and this application is in turn possible only because they have been presumed 
to be difficult. This is also true of the generalizations of Boneh and Lipton |BL95 | of 



these algorithms. If the only uses of quantum computation remain discrete logarithms 
and factoring, it will likely become a special-purpose technique whose only raison d'etre 
is to thwart public key cryptosystems. 

How useful can quantum computing be? What is the computational complexity of BQP, the 
class of efficiently quantum computable problems. Does BQP contain NP-complete problems like 
graph 3-colorability? What is the relationship of BQP and other more traditional complexity 
classes like the polynomial-time hierarchy? 

These questions are well suited for computational complexity theorists. Many researchers 
though shy away from quantum complexity as it appears that a deep knowledge of physics is 
necessary to understand BQP. Also most papers use a strange form of notation that make their 
results appear more difficult than they really are. 

This paper argues that one can think about BQP as just a regular complexity class, not 
conceptually much different than its probabilistic cousin BPP. We develop a way of looking at 
computation as matrix multiplications and exhibit some immediate effects of this formulation. We 
show that BQP is a rather robust complexity class that has much in common with other classes. 
We argue that BQP and BPP exhibit much of the same behavior particularly in their ability to 
do searching and hiding of information. 

While this paper does not assume any knowledge of physics, we do recommend a familiarity 



with basic notions of complexity theory as described in Balcazar, Diaz and Gabarro [BDG88]. 



2 Computation as Matrix Multiplication 

Consider a multitape deterministic Turing machine M that uses t(n) time and s(n) space. Let 

us also fix some input x in {0, l} n and let t = t(n) and s = s(n). We will assume t(n) > n and 

s(n) > logn are fully time and space constructible respectively. We will always have t(n) < s(n) < 
2 0(t(n))_ 

Recall that a configuration c of machine M on input x consists of the contents of the work 
tapes, tape pointers and current state. We will let C be the number of all configurations of M on 
input x. Note that a read-only input tape is not considered as part of the configuration and thus 
we have C = 2°W . 

For most of the paper, we will refer to the polynomial-time case, where t(n) = and 
s (n) = 2*W = 2™ 0(1> . 

Fix an input x. Let cj be the initial configuration of M{x). We can assume without loss of 
generality that M has exactly one accepting configuration ca and that once M enters ca it remains 
in ca- 

Define a C x C transition matrix T from the description of the transition function of M. Let 
T(c a , Cb) = 1 if one can get from c a to q, in one step and T(c a , c&) = otherwise. 

Observation 2.1 For any two configuratiofis c a and T r {c a ^ c b ) = 1 if and only if M on input 
x in configuration c a when run for r steps will be in configuration Cb ■ 

In particular we have that M(x) accepts if and only if T*(cj, ca) = 1. 
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Now what happens if we allow M to be a nondeterministic machine. Let us formally describe 
how the transition function 8 works for a fc-tape machine (along the lines of Hopcroft and Ull- 
JHU71). 

5 : Q x S x T k x Q x T fc x {L, R} k+1 -► {0, 1} 



man 



Here Q is the set of states, £ is the input alphabet and V the tape alphabet. The transition 
function 5(q, a, b\, . . . , b k ,p, c±, . . . , c&, do, d%, . . . , dk) takes the value one if the transition from state 
q looking at input bit a and work tape bits b\, 62, . . ., b k moving to state p, writing c\, . . ., c k on 
the work tapes, moving the input head in the direction do and the tape heads in directions d\, . . ., 
dk respectively is legal. 

This 5 function yields again a transition matrix T in the obvious way: If it is possible to reach 
Cb from c a in one step then T(c a , c&) = 1. If it is not possible to go from c a to q, in one transition 
then T(c a ,c b ) = 0. 

A few notes about the matrix T: Most entries are zero. For polynomial-time computation, 
given c a , c& and x one can in polynomial-time compute T(c a ,q,), even though the whole transition 
matrix is too big to write down in polynomial-time. 



Observation 2.1 has a simple generalization: 



Observation 2.2 For any two configurations c a and q,, T r (c a ,Cb) is the number of computation 
paths from c a to q, of length r. 

We now have that M on input x accepts if and only if T f (ci, ca) > 0. 

We can define #M(x) = T*(c/, ca) as the number of accepting paths of machine M on input x. 



For polynomial-time machines this yields the #P functions first defined by Valiant [ Val7S ] 



Now interesting events happen when we allow our 6 function to take on nonbinary values. First 



let us consider 5 taking on nonnegative integers. We get a further generalization of Observations 2.1 



and 2.2: 



Observation 2.3 The value of T r '(c a ,Cb) is the sum over all computation paths from c a to q, of 
the product of the values of 5 over each transition on the path. 

What kind of functions do we get from T*(c/,ca) for polynomial-time machines? We still 
get exactly the #P functions. Suppose that we have a T(c a ,Cb) = k. We simply create a new 
nondeterministic Turing machine that will have k computation paths, of length about log k, from 
c a to Cb- This will only increase the running time by a constant factor. 

Now suppose we allow our 5 function to take on nonnegative rational values. Remember that 
the 5 function is a finite object independent of the input. Let v be the least common multiple of 
the denominators of all the possible values of the 5 function. Define (5* = vS. Let T and T* be the 
corresponding matrices for 5 and 5* respective. Note T* = vT. 

The values T* still capture the #P functions. We also have T* = T~/v . Since v t is easily 
computable this does not give us much more power than before. 

We can use a restricted version of this model to capture probabilistic machines. Probabilistic 
machines have 

5 : Q x S x T k x Q x T k x {L, R} k+1 -» [0, 1] 
with the added restriction that for any fixed values of q, a and b\, . . . , 

X! S(q,a,h, . . . ,b k ,p,ci, . . . ,c k ,do,di, . . . ,dk) = 1. 

p,ci,...,c k ,do,di,...,d k 
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What does this do to the matrices T? Every row of T sums up to exactly one and its entries 
are all range in between zero and one, i.e., the matrices are stochastic. Note also that stochastic 
matrices preserve the L\ norm, i.e., for every vector u, L\(u ■ T) = L\(u). These observations will 
be useful to us as we try to understand quantum computation. 

Now T f (ci,CA) computes exactly the probability of acceptance of our probabilistic machine. 
Keep in mind that T still is mostly zero and although the matrix T is exponential size, the entries 
are easily computable given the indices. 

We can define the class BPP: A language L is in BPP if there is a probabilistic matrix T as 
described above and a polynomial t such that 

• For x in L, we have T*(cj, ca) > 2/3. 

• For x not in L, we have T^cj,^) < 1/3. 

Using standard repetition tricks to reduce the error we can replace 2/3 and 1/3 above with 1 — 2 ^Cl^l) 
and 2~ p ^ x ^ for any polynomial p. 

Let us make some variations to the probabilistic model. First let us allow 5 to take on arbi- 
trary rational values including negative values. Since the value T* may be negative we will use 
(T*(cj, ca)) 2 as our "probability of acceptance". Finally instead of preserving the L\ norm, we 
preserve the L 2 norm instead. That is for every vector it, we have 



L 2 (T(u)) = L 2 (u) = ^>*. 

Unlike the L\ norm, preserving the L 2 norm is a global condition, we cannot just require that the 
squares of the values of the 5 function add up to one. Matrices that preserve the L 2 norm are called 
unitary. 

This model looks strange but still rather simple. Yet this model captures exactly the power of 
quantum computing! 

We can define the class BQP: A language L is in BQP if there is a quantum matrix T as 
described above and a polynomial t such that 

• For x in L, we have (T*(cj, ca)) 2 > 2/3. 

• For x not in L, we have (T*(cj, ca)) 2 < 1/3. 



3 Questions 

For those who have seen quantum computing talks in the past, many questions may come up. 



3.1 Where's the physics? 

The presentation of quantum computing above is based mostly on the computation model developed 
by Bernstein and Vazirani [BV97]. We have presented the model here as another complexity model. 
It does however capture all of the physical power and rules of quantum computation. 

Can one study quantum computation without a deep background in quantum mechanics? I say 
yes. I drive a car without much of a clue as to what a carburetor does. I can program a classical 
computer and do research on the computational complexity of these computers even though I 
do not have a real understanding of how a transistor works. I often do research on theoretical 
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computation models such as nondeterminism that have no physical counterpart at all. Given a 
good model of a quantum computer, computer scientists can study its computational abilities 
without much knowledge of the physical properties of that model. 



3.2 Where's the (bra| and |ket) notation? 

When researchers in two disciplines try to work they usually find that language forms a major wall 
between them. Not the base spoken language, but the notation and definitions each one assumes 
that every first-year graduate student in the field knows and follows. In quantum computing, 
generally physics notation has prevailed, leading to one of the major barriers to entering the area. 

Physicists generally use the Dirac bra-ket notation to represent base quantum states. When 
computer scientists see this notation, it looks quite foreign and many assume that the complexity 
of the notation reflects some deep principles in quantum mechanics. Nothing could be further from 
the truth as the bra-ket notation represents nothing more than vectors. 

The notation |010) is called a "ket" and represents the string 010. In general \x) with x G {0, l} k 
represents the string x. Concatenation is concatenation: |x)|y) = \xy). The strings of length k 
form the basis of a vector space of dimension 2 k . These basis vectors roughly correspond to the 
configurations described in Section ||. 

Now, there is also a "bra" and various rules that apply when putting bras and kets together 
but these rarely come into play in quantum computing. For the interested reader there are many 



sources one can read on the subject such as Preskilks lecture notes [Pre98]. 

Why does the simple looking notation cause such confusion for computer scientists? This 
notation does not conform to computer science conventions, particular to that of symmetry. When 
we consider vectors or other groupings of objects, computer scientists always use symmetric brackets 
such at (8,3,4), [0. . . 1], (a + b)* and When typical computer scientists look at a character like 
")" or "|" that does not have a counterpart, they consider these as relational operators, making 
equations like 

lMy)) = Tp^- 1 )^ = ^ " 7fll y > [BBBV97, p. 1514] (1) 

impossible even to parse. 

As this paper suggests, one does not need to know Dirac notation to understand the basics of 
quantum computation. Unfortunately one is forced to learn it to follow the communication in the 
field. 

If theoretical computer scientists collaborate then they must learn ETgX. It does not matter 
if they like some other mathematical document software, they have to use DTj]X if they wish to 
write papers with other computer scientists. 

Likewise if you want to truly study quantum computation you will need to learn the Dirac 
notation. One can easily develop more natural notation for computer scientists but we have already 
lost the battle. Eventually the notation becomes easier to parse and follow and formulas like 
Equation (|l]) seem almost normal. I find it a shame though that computer scientists find it difficult 
to go to talks on quantum computing not so much because of the complexity of the subject matter 
but because of the abnormal notation. 



5 



3.3 Don't we need arbitrary real and complex numbers to do quantum compu- 
tation? 



In short no. The physics definition allows arbitrary real and complex entries as long as the matrices 
are unitary. This by itself limits the values to have absolute value at most one. But one can do 
much better. 



If we allow all possible reals, BQP can accept arbitrarily complicated languages [ADH97]. 
However this result feels like cheating — basically you encode hard languages directly into the entries 
of the matrix. Thus one requires knowing the language ahead of time to create the machine. A 
similar trick can also be played with probabilistic machines using noncomputable probabilities. 

For fairness we should only allow efficiently computable matrix entries, where we can compute 



the ith bit in time polynomial in i. Independently Adleman, DeMarrais and Huang [ADH97] and 



Solovay and Yao ||5Y96 | show that we can simulate a BQP machine using efficiently computable 



entries from the set {—1, — |, — | , 0, |, |, 1}. Or you can get away with fewer numbers if you don't 
mind an irrational: { — 1, — \/2, 0, \/2, 1}. 

3.4 Don't we have to require the computation to be reversible? 

The matrix T as well as any power of T is unitary, i.e. it preserves the L2 norm. For real valued 
matrices, T is unitary if and only if the transpose of T is the inverse of T. The reader should try 



the proof himself or it can be found in Bernstein and Vazirani [BV97, p. 1463]. 

In particular this means that T is invertible. Even more so the inverse of T is itself unitary. If 
you have a vector v over the configurations that gives the value for each configuration, let w = T(v). 
We then have T _1 (ti;) = v. Given the current entire state of the system we can reverse it to get 
the previous state. 

Don't think of reversibility as a requirement of quantum computing rather as a consequence. 
Nevertheless keep in mind that in creating a quantum algorithm at a minimum you will need to 
create a reversible procedure. 

3.5 What if there are many accepting configurations? 

For traditional models of computation we can usually assume only one accepting configuration. We 
do this by a cleanup operation — after the machine decides to accept we erase the work tapes, move 
the head to the left and enter a specified final accepting state. 

This procedure will not work for quantum computation since it is not reversible. Bennett, 



Bernstein, Brassard and Vazirani [BBBV97] show an interesting way to get around this problem: 
Compute whether the quantum machine accepts. Copy the answer to an extra quantum bit. Then 
reverse the whole process. The unique accepting state is now the initial state with this extra bit 
turned on. 

3.6 Don't we have to allow measurements? 

Our formulation of BQP does not appear to contain any measurements. In fact we are simulating 
a measurement at the end. A BQP machine will output "accept" with probability equal to the 
sum of the squares of the values of the accepting configurations. We have only one accepting 
configuration so we need just consider (T*(c/, ca)) 2 - 

One could consider a process that allows measurements during the computation. Bernstein and 



Vazirani [BV97] show that we can push all of the measurements to the end. Basically measurements 
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are linear projections and we can simulate a measurement by doing a rotation and taking one big 
projection at the end. 



4 Full Robustness 

Section ||] points to the fact that BQP is quite a robust complexity class. Bernstein and Vazi- 
ram pV97| show two more important facts: That BQP can simulate any deterministic or prob- 



abilistic polynomial-time algorithm and BQP BC ^ P = BQP. In other words we can do quantum 
subroutines and build that directly into the quantum computation. The proofs of these facts are 
technically quite complicated but here a few points to think about. 



Note that a deterministic computation might not be reversible but Bennett [Ben89] showed 
how to simulate any deterministic computation by a reversible computation with only squaring the 
computation time. 

Flipping a truly random coin seems inherently nonreversible: Once flipped how does one re- 
cover the previous state? Quantum computing does have one nonreversible operation known as 
measurements. One can simulate truly random coin tosses using measurements, or as described in 



Section |3.6| simulating a measurement and doing it at the end. 

From these results we can use that standard error reduction techniques to reduce the error in 
a quantum algorithm to 2~ p ( n ^ where p is a polynomial and n is in the length of the input. 

Other complexity classes such as the zero-error version of BQP (denoted EQP or QP) may 
not have some of the nice robust properties of Section || since approximating the matrix entries 
would no longer keep us in the class. 

Space-bounded classes also lack some of the robustness of BQP. For example if we do not allow 
a measurement until the end even simulating coin flips becomes difficult: we cannot reuse the coins 
and keep reversibility. See Watrous [ Wat99b | for a discussion. 



5 Using This Formulation 

Once you have the formulation of quantum machines described in Section [|, one immediately gets 
interesting results on quantum complexity. 

5.1 AWPP 

Suppose we remove the unitary restriction in the definition of BQP in Section ||. This yields the 
class AWPP. Li ||Li93 | and Fenner, Fortnow, Kurtz and Li [ FFKL93j ] defined and studied the class 



AWPP (stands for Almost- Wide Probabilistic Polynomial-time) extensively. They showed many 
interesting results for this class. 

1. AWPP C PP C P SPACE, where PP is the set of languages accepted by a probabilistic 
polynomial-time Turing machine where we only require the error probability to be smaller 
than one-half. 

2. The class AWPP is low for PP, i.e., for any language L in AWPP, PP L = PP. 

3. If P = P SPACE then relative to any generic oracle G, P G = AWPP G . This implies that 
without any assumption there is a relativized world A such that P A = AWPP 71 and the 
polynomial-time hierarchy is infinite. 
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4. There exists a relativized world where AWPP does not have complete sets, in fact where 
AWPP has no sets hard for all of BPP. 



Relativization results show us important limitations on how certain techniques will solve problems 
in complexity theory. For a background on relativization see the survey paper by Fortnow |For94 1 . 

Fortnow and Rogers [ [FR96 ] observed that BQP C AWPP basically falls out of the character- 
ization given in Section |2[ From this we have several corollaries. 



1. BQP CPPC PSPACE [|ADH97| 

2. The class BQP is low for PP. 

3. There exists a relativized world where P 
infinite. 



BQP and the polynomial-time hierarchy is 



There exists a relativized world where BQP has no complete sets, not even any sets hard for 
BPP. 



5.2 Decision Trees 



The oracle results mentioned in Section 5.1 follow from results on decision tree complexity that 



have interest in their own right. Consider the situation where we wish to compute a function from 
{0, 1}^ to {0, 1} where access to the input is limited as oracle questions. Here the complexity 
measure is the number of queries needed to compute the function, not the running time. 

Beals, Buhrman, Cleve, Mosca and de Wolf [BBC + 98] show how to vary the matrix model 
of Section ^ to create special linear transformations that describe a reversible oracle query. One 
can interleaves matrices describing these transformations with the unitary matrices given by the 
computation of the Turing machine. 

Grover |Gro96 | shows how to get a nontrivial advantage with quantum computers: He shows 
that computing the OR function needs only 0(yN) queries although classically Q(N) input bits 
are needed in the worst case. 

Bernstein and Vazirani [BV97] give a super polynomial gap and Simon |{Sim97 | gives an expo- 
nential gap. Both of these gaps require that there are particular subsets of the inputs to which / 
is restricted. 



Beals, Buhrman, Cleve, Mosca and de Wolf [ BBC + 98 ] notice that the characterization given in 



Section |2| shows that any quantum decision tree algorithm making t queries is a polynomial in the 
queries of degree at most It. 

Nisan and Szegedy [NS94| show that if a polynomial of degree d on {0, 1}^ approximates 
the characteristic function of some language L C {0, 1}^ then L has deterministic decision tree 
complexity polynomial in d. 

Combining these ideas, if there is a quantum algorithm computing a function / defined on 
all of {0, 1}^ and using t queries then there exists a deterministic algorithm computing / using 
polynomial in t queries. 



6 Probabilistic versus Quantum 

Often one hears of the various ways that quantum machines have advantages over classical compu- 
tation, for example, the ability to go into many parallel states and that states can be entangled with 
each other. In fact often these properties occur in probabilistic computation as well. The strength 
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of quantum computing lies in the ability to have bad computation paths eliminate each other thus 
causing some good paths to occur with larger probability. The ability for quantum machines to 
take advantage of this interference is tempered by their restriction to unitary operations. 

Suppose you videotape a football game from the television. Let us say the teams are evenly 
matched so that either team has an equal probability of winning. Now make a copy of the tape 
without watching it. Now these videotapes are in some sense entangled. We don't know who won 
the game until we watch it but both outcomes will be the same. I can take a videotape to Mars 
and watch it there and at the end I will instantaneously know the outcome of the game on the 
other tape. 

Entanglement works quite differently for quantum computing. In particular the videotape 
model fails to capture quantum entanglement — no "hidden variable" theory can capture the effects 
of quantum entanglement (see a discussion in Preskill | Pre98f| ). However we should not consider 
entanglement to be of much help in the power of BQP. 

When it comes to parallelism there is really no difference between probabilistic and quantum 
computation. Consider the value T^(ci,c A ) expanded as follows: 

T\c I ,c A )= T(c I ,c 1 )T(a,c 2 ) ■ ■ •T(c i _2,Q_i)T(c t _i,CA) 

Cl,...,C t -l 

One can think of the vector (ci, . . . , ct-i) as describing a computation path, the value 

T(a, ci)T(ci, c 2 ) • • • T(ct-2, q_i)T(q_i, c a ) 

as the value along that path and the final value as the sum of the values over all paths. 

Did this view of parallelism depend on whether we considered quantum or probabilistic com- 
putation? Not a bit. 

Where does the power of quantum come from? From interference. For probabilistic computation 
the value 

T(cj, ci)T(a, c 2 ) • • • T(ct-2, q_i)T(q_i, c a ) 

is always nonnegative. Once a computation path has a positive value it is there to stay. For quantum 
computation the value could be negative on some path causing cancellation or interference. This 
allows other paths to occur with a higher probability. The restriction of quantum computers to 
unitary transformations limits the applications of interference but still we can achieve some useful 
power from it. 

6.1 Searching versus Hiding 

Randomness plays two important but quite different roles in the theory of computation. Typically 
we use randomness for searching. In this scenario, we have a large search space full of mostly good 
solutions. Deterministically we can only look in a relatively small number of places and may miss 
the vast majority of good solutions. By using randomness we can, with high probability, find the 
good solutions. Typical examples include primality testing |5S77 l and searching undirected graphs 
in a small amount of space |AKL + 79| . 

However these randomness techniques appear to apply to only a small number of problems. 
Recent results in derandomization indicate we probably can do as well with deterministically chosen 
pseudorandom sequences. 

We also use randomness to hide information. A computer, no matter how powerful, cannot 
predict the value of a truly random bit it cannot see. Hiding forms the basis of virtually all 
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cryptographic protocols. Hiding also plays an important role in complexity theory. The surprising 
strength of interactive proof systems LFKN92 , 3ha92 , BFL91, ALM + 92 | comes from the inability 
of the prover to predict the verifier's future coin tosses. 

We have the same dichotomy between searching and hiding in quantum bits. For quantum 
searching we do not necessarily require that most paths have high probability. The use of quantum 
interference allows us to find some things with certain kinds of structure. Shor's algorithms for 
factoring and discrete logarithm [3ho97] form the obvious example here. 

While we do not expect that there exists any notion of quantum pseudorandom generators, at 
the moment we still only have a limited collection of problems where quantum search greatly helps 
over classical methods. 

Quantum hiding, like its probabilistic counterpart, has a powerful effect on computation theory. 
Not only can no computer predict the value of a quantum bit not yet measured but the quantum 
bit cannot be copied and any attempt at early measurement will change the state of the quantum 
bit. 

Quantum bits do have one disadvantage over probabilistic bits. When we flip a probabilistic 
coin the original state has been irrevocably destroyed. The reversibility of quantum computation 
prevents destroying quantum state. However, we can get around this problem by using classical 
probabilistic bits to determine how to prepare the quantum states. We can always get classical 
probabilistic bits by measuring an appropriate quantum state. 

Quantum hiding in this manner gives powerful tools for quantum cryptography [BBE92] and 
quantum interactive proof systems [ Wat99a | that go beyond what we believe possible with classical 
randomness. 



7 Future Directions 

Quantum computation is ripe for complexity theorists. There are still many fundamental questions 
remaining to be solved. 

Is NP in BQP? While we probably cannot answer that problem directly we could show some 
unlikely consequences like the polynomial-time hierarchy collapses. 

Does BQP sit in the polynomial-time hierarchy? The only evidence against this comes from 



Bernstein- Vazirani [BV97|. In their paper they create a relativized world A and a language L that 
sits in EQP A C BQP A but not BPP A . We cannot prove that L sits in the polynomial-hierarchy 
relative to A. However the language L does sit in deterministic quasipolynomial (2 los ° (1> ™) time and 
by an alternating Turing machine that uses only polylogarithmic alternations where these machines 
have access to A. So while we may find it difficult to show BQP is in the polynomial-time hierarchy, 
we could show that every language in BQP is accepted by some alternating Turing machine using 
polylogarithmic alternations and/or polynomial-time. 

For such results we will need more than the fact than BQP sits in AWPP as described in 



Section |5.l| . Relative to random oracles NP is in AWPP and there exist relative worlds where an 
infinite polynomial-time hierarchy sits strictly inside of AWPP. Somehow we will need to make 
better use of the unitary nature of the quantum transformations. 

Shor's algorithm shows that quantum machines can defeat many commonly used cryptographic 
protocols. Can we create one-way functions that no quantum machine can invert better than 
random guessing? Perhaps we will need such functions computed by quantum machines as well. 

Maybe quantum relates to other classes out there? Is BQP equivalent to the problems having 
statistical zero-knowledge proof systems? This seems far fetched but we have no evidence against 
this. 



10 



For further reading I recommend that the reader get a hold of SIAM Journal on Computing 
Volume 26 Number 5 (1997). Half of this issue is devoted to quantum computation and as one can 
see from the references it has many of the important papers in the area. 

Preskill's course notes [ Pre98| ] give a detailed description of quantum computation from the 
physicists' point of view. Books on the quantum computation are also starting to appear. An early 
book by Gruska [Gru9£] gives a broad range of work on quantum computation. 
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